Gnupg 2.1.7 can't decrypt using smartcard key.

perillamint perillamint at
Mon Sep 14 18:43:48 CEST 2015

I tried to generate key using default setting (RSA and RSA) and added
another subkey for authorization purpose. After moving that key to card,
It encrypt/decrypt, and signs well. Thanks!

p.s. GnuPG 2.1.7 seems to have a problem with 4096bit RSA key with
keytocard command. I failed to move my new key to card with 2.1.7 with
GPG complaining about Bad secret key but when I tried with 2.1.8, it
succeeded to move key to card.

On 14/09/15 11:05, NIIBE Yutaka wrote:
> On 09/14/2015 01:30 AM, perillamint wrote:
>> Yes. I generated single key with Signing Certification Encryption
>> Authorization ablity.
>> If it is not supported by GnuPG, Re-generating key with Signing
>> Certification Encryption key (It's GnuPG default. I think..) and adding
>> subkey with Authorization (for SSH auth) can be a solution?
> Let me answer a point by a point.
> Firstly, let me check about the support situation of GnuPG about this
> specific usage of same key on smartcard for singing, decryption, and
> authentication.
> I'm sure that current code of GnuPG 2.1.x doesn't support the usage of
> same key on smartcard.
> In my opinion, OpenPGPcard specification doesn't encourage users to do
> this specific usage, too.
> In GnuPG 2.1.x, access by gpg-agent to scdaemon is done with KEYID of
> "OPENPGP.1", "OPENPGP.2", or "OPENPGP.3" (see the function
> ask_for_card in gnupg/agent/divert-scd.c), by accessing <KEYGRIP>.key
> file under ~/.gnupg/private-keys-v1.d.
> I think that this situation is same in GnuPG 2.0.x.
> In GnuPG 1.4.x (when configured with no agent), access is done with
> SERIALNO.  IIUC, it is possible for GnuPG 1.4.x to allow the usage
> of same key on smartcard.
> Setup of this specific usage requires quite a cumbersome interactions,
> I believe.  It requires multiple invocations of 'gpg --edit-key',
> invocation of subcommand of 'keytocard' and then, quit without saving.
> Secondly, GnuPG's default key generation is generating primary key and
> encryption subkey.  Primary key has capability of Signing (to message)
> and Certification (signing to key), while the subkey of encryption has
> capability of Encryption.  IIUC, this was because of historic reason
> originally, but, it makes sense too (since usage (especially
> revocation) is different and key life-time would be different).  And
> then, if you need, you can add Authentication subkey (for SSH) by
> 'gpg --edit-key' and invoking subcommand addkey (specifying the
> Authentication capability).
> If you don't have enough reason to use a single key material for
> multiple slots of smartcard, it is recommended to follow the default.

More information about the Gnupg-users mailing list